French privacy authority gives Google 3 months to change its ways

France’s data protection authority has given Google three months to change the way it handles users’ private data, or face legal sanctions.

The order, made on June 10 and published Thursday, is the result of a formal investigation begun by the French National Commission on Computing and Liberty (CNIL) in April, after the company repeatedly rejected requests to reverse changes it made to its privacy policy in March 2012.

In its June 10 decision, CNIL ordered Google to clearly explain to users the ways in which data collected about them will be used; to keep data for no longer than is necessary for the purposes it has declared to users; not to combine data from different sources without legal authority; to fairly process data collected from “passive” users of Google’s services through DoubleClick and Analytics cookies or Google +1 buttons on the pages they visit; and to obtain informed consent from users before storing cookies in their mobile phone, PC or other terminal.

If it does not comply, Google could face a fine of a maximum of €150,000 (or €300,000 for a second offense), and could in certain circumstances be ordered to refrain from processing personal data in certain ways for a period of three months.

Such orders are usually secret, but CNIL decided that, given the gravity of the situation, it would publish the order as an additional sanction against Google.

Five other European data protection authorities began similar formal investigations of Google’s privacy policy in April. The Spanish regulator has notified Google of its intention to impose sanctions if it does not comply with Spanish data protection law. The Data Protection Commissioner of Hamburg has also opened a formal procedure against Google, while authorities in the U.K., Italy and the Netherlands are still studying Google’s updated privacy policy or are awaiting information from the company in order to determine whether it complies with local data protection laws.